From 45bbf95972777e9499996d56a873c2a304815b3f Mon Sep 17 00:00:00 2001
From: msquare <msquare@notrademark.de>
Date: Tue, 27 Sep 2016 17:24:18 +0200
Subject: fix settings validation

---
 includes/model/Settings_model.php |  63 ++++++++--------
 includes/mysqli_provider.php      |  40 +++++-----
 includes/pages/admin_settings.php | 155 ++++++++++++++++++++------------------
 includes/sys_page.php             |  74 ++++++++++++++++++
 test/phpunit.xml                  |   4 +-
 5 files changed, 210 insertions(+), 126 deletions(-)

diff --git a/includes/model/Settings_model.php b/includes/model/Settings_model.php
index 2351e8c7..07e3b677 100644
--- a/includes/model/Settings_model.php
+++ b/includes/model/Settings_model.php
@@ -1,40 +1,43 @@
 <?php
+
 /**
- * Update Setting.
- *
- * @param string $event_name          
- * @param int $buildup_start_date
- * @param int $event_start_date
- * @param int $event_end_date
- * @param int $teardown_end_date                   
- * @param string $event_welcome_msg 
+ * Get settings.
  */
-function Settings_update($event_name, $buildup_start_date, $event_start_date, $event_end_date, $teardown_end_date, $event_welcome_msg) {
-  return sql_query("UPDATE `Settings` SET
-      `event_name`='" . sql_escape($event_name) . "', 
-      `buildup_start_date`='" . sql_escape($buildup_start_date) . "',
-      `event_start_date`='" . sql_escape($event_start_date) . "',
-      `event_end_date`='" . sql_escape($event_end_date) . "',
-      `teardown_end_date`='" . sql_escape($teardown_end_date) . "',        
-      `event_welcome_msg`='" . sql_escape($event_welcome_msg) . "'");
+function Settings() {
+  $settings = sql_select("SELECT * FROM `Settings` LIMIT 1");
+  if ($settings === false)
+    return false;
+  if (count($settings) > 0)
+    return $settings[0];
+  return null;
 }
+
 /**
- * Create Settings.
+ * Update Settings.
  *
  * @param string $event_name          
- * @param int $buildup_start_date
- * @param int $event_start_date
- * @param int $event_end_date
- * @param int $teardown_end_date                   
- * @param string $event_welcome_msg 
+ * @param int $buildup_start_date          
+ * @param int $event_start_date          
+ * @param int $event_end_date          
+ * @param int $teardown_end_date          
+ * @param string $event_welcome_msg          
  */
-function Settings_create($event_name, $buildup_start_date, $event_start_date, $event_end_date, $teardown_end_date, $event_welcome_msg) {
-  return sql_query("INSERT INTO `Settings` SET
-      `event_name`='" . sql_escape($event_name) . "', 
-      `buildup_start_date`='" . sql_escape($buildup_start_date) . "',
-      `event_start_date`='" . sql_escape($event_start_date) . "',
-      `event_end_date`='" . sql_escape($event_end_date) . "',
-      `teardown_end_date`='" . sql_escape($teardown_end_date) . "',        
-      `event_welcome_msg`='" . sql_escape($event_welcome_msg) . "'");
+function Settings_update($event_name, $buildup_start_date, $event_start_date, $event_end_date, $teardown_end_date, $event_welcome_msg) {
+  if (Settings() == null) {
+    return sql_query("INSERT INTO `Settings` SET
+      `event_name`=" . sql_null($event_name) . ",
+      `buildup_start_date`=" . sql_null($buildup_start_date) . ",
+      `event_start_date`=" . sql_null($event_start_date) . ",
+      `event_end_date`=" . sql_null($event_end_date) . ",
+      `teardown_end_date`=" . sql_null($teardown_end_date) . ",
+      `event_welcome_msg`=" . sql_null($event_welcome_msg));
+  }
+  return sql_query("UPDATE `Settings` SET
+      `event_name`=" . sql_null($event_name) . ", 
+      `buildup_start_date`=" . sql_null($buildup_start_date) . ",
+      `event_start_date`=" . sql_null($event_start_date) . ",
+      `event_end_date`=" . sql_null($event_end_date) . ",
+      `teardown_end_date`=" . sql_null($teardown_end_date) . ",        
+      `event_welcome_msg`=" . sql_null($event_welcome_msg));
 }
 ?>
diff --git a/includes/mysqli_provider.php b/includes/mysqli_provider.php
index 4a3f2a45..7197b95a 100644
--- a/includes/mysqli_provider.php
+++ b/includes/mysqli_provider.php
@@ -5,7 +5,7 @@
  */
 function sql_close() {
   global $sql_connection;
-
+  
   return $sql_connection->close();
 }
 
@@ -21,7 +21,7 @@ function sql_null($value = null) {
  */
 function sql_transaction_start() {
   global $sql_nested_transaction_level;
-
+  
   if ($sql_nested_transaction_level ++ == 0)
     return sql_query("BEGIN");
   else
@@ -33,7 +33,7 @@ function sql_transaction_start() {
  */
 function sql_transaction_commit() {
   global $sql_nested_transaction_level;
-
+  
   if (-- $sql_nested_transaction_level == 0)
     return sql_query("COMMIT");
   else
@@ -45,7 +45,7 @@ function sql_transaction_commit() {
  */
 function sql_transaction_rollback() {
   global $sql_nested_transaction_level;
-
+  
   if (-- $sql_nested_transaction_level == 0)
     return sql_query("ROLLBACK");
   else
@@ -55,17 +55,17 @@ function sql_transaction_rollback() {
 /**
  * Logs an sql error.
  *
- * @param string $message
+ * @param string $message          
  * @return false
  */
 function sql_error($message) {
   sql_close();
-
+  
   $message = trim($message) . "\n";
   $message .= debug_string_backtrace() . "\n";
-
+  
   error_log('mysql_provider error: ' . $message);
-
+  
   return false;
 }
 
@@ -84,21 +84,21 @@ function sql_error($message) {
  */
 function sql_connect($host, $user, $pass, $db) {
   global $sql_connection;
-
+  
   $sql_connection = new mysqli($host, $user, $pass, $db);
   if ($sql_connection->connect_errno) {
-      error("Unable to connect to MySQL: " . $sql_connection->connect_error);
+    error("Unable to connect to MySQL: " . $sql_connection->connect_error);
     return sql_error("Unable to connect to MySQL: " . $sql_connection->connect_error);
   }
-
+  
   $result = $sql_connection->query("SET CHARACTER SET utf8;");
   if (! $result)
     return sql_error("Unable to set utf8 character set (" . $sql_connection->errno . ") " . $sql_connection->error);
-
+  
   $result = $sql_connection->set_charset('utf8');
   if (! $result)
     return sql_error("Unable to set utf8 names (" . $sql_connection->errno . ") " . $sql_connection->error);
-
+  
   return $sql_connection;
 }
 
@@ -119,12 +119,12 @@ function sql_select_db($db_name) {
 /**
  * MySQL SELECT query
  *
- * @param string $query
+ * @param string $query          
  * @return Result array or false on error
  */
 function sql_select($query) {
   global $sql_connection;
-
+  
   $result = $sql_connection->query($query);
   if ($result) {
     $data = array();
@@ -138,12 +138,12 @@ function sql_select($query) {
 /**
  * MySQL execute a query
  *
- * @param string $query
+ * @param string $query          
  * @return mysqli_result boolean resource or false on error
  */
 function sql_query($query) {
   global $sql_connection;
-
+  
   $result = $sql_connection->query($query);
   if ($result) {
     return $result;
@@ -164,7 +164,7 @@ function sql_id() {
 /**
  * Escape a string for a sql query.
  *
- * @param string $query
+ * @param string $query          
  * @return string
  */
 function sql_escape($query) {
@@ -175,7 +175,7 @@ function sql_escape($query) {
 /**
  * Convert a boolean for mysql-queries.
  *
- * @param boolean $boolean
+ * @param boolean $boolean          
  * @return string
  */
 function sql_bool($boolean) {
@@ -185,7 +185,7 @@ function sql_bool($boolean) {
 /**
  * Count query result lines.
  *
- * @param string $query
+ * @param string $query          
  * @return int Count of result lines
  */
 function sql_num_query($query) {
diff --git a/includes/pages/admin_settings.php b/includes/pages/admin_settings.php
index 6a78f97b..ebee1305 100644
--- a/includes/pages/admin_settings.php
+++ b/includes/pages/admin_settings.php
@@ -1,87 +1,94 @@
 <?php
+
 function admin_settings_title() {
   return _("Settings");
 }
+
 function admin_settings() {
-  $settings_source = sql_select("SELECT * FROM `Settings`");
-  if (count($settings_source) == 1) {
-    $event_name = $settings_source[0]['event_name'];
-    $buildup_start_date = $settings_source[0]['buildup_start_date']; 
-    $event_start_date = $settings_source[0]['event_start_date'];
-    $event_end_date = $settings_source[0]['event_end_date'];
-    $teardown_end_date = $settings_source[0]['teardown_end_date']; 
-    $event_welcome_msg = $settings_source[0]['event_welcome_msg'];
+  $event_name = null;
+  $event_welcome_msg = null;
+  $buildup_start_date = null;
+  $event_start_date = null;
+  $event_end_date = null;
+  $teardown_end_date = null;
+  
+  $settings_source = Settings();
+  if ($settings_source === false)
+    engelsystem_error('Unable to load settings.');
+  if ($settings_source != null) {
+    $event_name = $settings_source['event_name'];
+    $buildup_start_date = $settings_source['buildup_start_date'];
+    $event_start_date = $settings_source['event_start_date'];
+    $event_end_date = $settings_source['event_end_date'];
+    $teardown_end_date = $settings_source['teardown_end_date'];
+    $event_welcome_msg = $settings_source['event_welcome_msg'];
   }
+  
   if (isset($_REQUEST['submit'])) {
     $ok = true;
-  if (isset($_REQUEST['event_name']))
-    $event_name = strip_request_item('event_name');  
-  if (isset($_REQUEST['buildup_start_date']) && $_REQUEST['buildup_start_date'] != '') {
-    if (DateTime::createFromFormat("Y-m-d", trim($_REQUEST['buildup_start_date']))) {
-      $buildup_start_date = DateTime::createFromFormat("Y-m-d", trim($_REQUEST['buildup_start_date']))->getTimestamp();
-    } else {
-        $ok = false;
-        $msg .= error(_("Please enter buildup start date."), true);
-      }
-  } else
-    $buildup_start_date = null;
-  if (isset($_REQUEST['event_start_date']) && $_REQUEST['event_start_date'] != '') {
-    if (DateTime::createFromFormat("Y-m-d", trim($_REQUEST['event_start_date']))) {
-      $event_start_date = DateTime::createFromFormat("Y-m-d", trim($_REQUEST['event_start_date']))->getTimestamp();
-    } else {
-      $ok = false;
-      $msg .= error(_("Please enter event start date."), true);
-      }
-  } else
-    $event_start_date = null;
-  if (isset($_REQUEST['event_end_date']) && $_REQUEST['event_end_date'] != '') {
-    if (DateTime::createFromFormat("Y-m-d", trim($_REQUEST['event_end_date']))) {
-      $event_end_date = DateTime::createFromFormat("Y-m-d", trim($_REQUEST['event_end_date']))->getTimestamp();
-    } else {
-        $ok = false;
-        $msg .= error(_("Please enter event end date."), true);
-      }
-  } else
-    $event_end_date = null;
-  if (isset($_REQUEST['teardown_end_date']) && $_REQUEST['teardown_end_date'] != '') {
-    if (DateTime::createFromFormat("Y-m-d", trim($_REQUEST['teardown_end_date']))) {
-      $teardown_end_date = DateTime::createFromFormat("Y-m-d", trim($_REQUEST['teardown_end_date']))->getTimestamp();
-    } else {
-      $ok = false;
-      $msg .= error(_("Please enter teardown end date."), true);
+    
+    if (isset($_REQUEST['event_name']))
+      $event_name = strip_request_item('event_name');
+    if ($event_name == '')
+      $event_name = null;
+    
+    if (isset($_REQUEST['event_welcome_msg']))
+      $event_welcome_msg = strip_request_item_nl('event_welcome_msg');
+    if ($event_welcome_msg == '')
+      $event_welcome_msg = null;
+    
+    $result = check_request_date('buildup_start_date', _("Please enter buildup start date."), true);
+    $buildup_start_date = $result->getValue();
+    $ok &= $result->isOk();
+    
+    $result = check_request_date('event_start_date', _("Please enter event start date."), true);
+    $event_start_date = $result->getValue();
+    $ok &= $result->isOk();
+    
+    $result = check_request_date('event_end_date', _("Please enter event end date."), true);
+    $event_end_date = $result->getValue();
+    $ok &= $result->isOk();
+    
+    $result = check_request_date('teardown_end_date', _("Please enter teardown end date."), true);
+    $teardown_end_date = $result->getValue();
+    $ok &= $result->isOk();
+    
+    if ($ok) {
+      $result = Settings_update($event_name, $buildup_start_date, $event_start_date, $event_end_date, $teardown_end_date, $event_welcome_msg);
+      
+      if ($result === false)
+        engelsystem_error("Unable to update settings.");
+      
+      success(_("Settings saved."));
+      redirect(page_link_to('admin_settings'));
     }
-  } else
-      $teardown_end_date = null;
-  if (isset($_REQUEST['event_welcome_msg']))
-    $event_welcome_msg = strip_request_item('event_welcome_msg');
-}
-if ($ok) {
-  if (count($settings_source) == 1)
-    Settings_update($event_name, $buildup_start_date, $event_start_date, $event_end_date, $teardown_end_date, $event_welcome_msg);
-  else
-    Settings_create($event_name, $buildup_start_date, $event_start_date, $event_end_date, $teardown_end_date, $event_welcome_msg);
+  }
   
-  success(_("Settings saved."));
-  redirect(page_link_to('admin_settings'));
-}
-  return page_with_title(admin_settings_title(), array(
-      $msg,
+  return page_with_title(admin_settings_title(), [
       msg(),
-      div('row', array(
-          div('col-md-12', array(
-              form(array(
-                form_info('', _("Here you can change event information.")),
-                form_text('event_name', _("Event Name"), $event_name),
-                form_date('buildup_start_date', _("Buildup date"), $buildup_start_date, time()),
-                form_date('event_start_date', _("Event start date"), $event_start_date, time()),
-                form_date('event_end_date', _("Event end date"), $event_end_date, time()),
-                form_date('teardown_end_date', _("Teardown end date"), $teardown_end_date, time()),
-                form_info('', _("Here you can write your display message for registration:")),
-                form_text('event_welcome_msg', _("Event Welcome Message"), $event_welcome_msg),
-                form_submit('submit', _("Save")) 
-              )) 
-          ))
-      )) 
-  ));
+      form([
+          div('row', [
+              div('col-md-6', [
+                  form_text('event_name', _("Event Name"), $event_name),
+                  form_info('', _("Event Name is shown on the start page.")),
+                  form_textarea('event_welcome_msg', _("Event Welcome Message"), $event_welcome_msg),
+                  form_info('', _("Welcome message is shown after successful registration. You can use markdown.")) 
+              ]),
+              div('col-md-3', [
+                  form_date('buildup_start_date', _("Buildup date"), $buildup_start_date),
+                  form_date('event_start_date', _("Event start date"), $event_start_date) 
+              ]),
+              div('col-md-3', [
+                  form_date('teardown_end_date', _("Teardown end date"), $teardown_end_date),
+                  form_date('event_end_date', _("Event end date"), $event_end_date) 
+              ]) 
+          ]),
+          div('row', [
+              div('col-md-6', [
+                  form_submit('submit', _("Save")) 
+              ]) 
+          ]) 
+      ]) 
+  ]);
 }
 ?>
diff --git a/includes/sys_page.php b/includes/sys_page.php
index 6863c517..67da83c7 100644
--- a/includes/sys_page.php
+++ b/includes/sys_page.php
@@ -18,6 +18,46 @@ function raw_output($output) {
   die();
 }
 
+/**
+ * Checks if given request item (name) can be parsed to a date.
+ * If not parsable, given error message is put into msg() and null is returned.
+ *
+ * @param string $input
+ *          String to be parsed into a date.
+ * @param string $error_message
+ *          the error message displayed if $input is not parsable
+ * @param boolean $null_allowed
+ *          is a null value allowed?
+ * @return ValidationResult containing the parsed date
+ */
+function check_request_date($name, $error_message = null, $null_allowed = false) {
+  if (! isset($_REQUEST[$name]))
+    return new ValidationResult($null_allowed, null);
+  return check_date($_REQUEST[$name], $error_message, $null_allowed);
+}
+
+/**
+ * Checks if given string can be parsed to a date.
+ * If not parsable, given error message is put into msg() and null is returned.
+ *
+ * @param string $input
+ *          String to be parsed into a date.
+ * @param string $error_message
+ *          the error message displayed if $input is not parsable
+ * @param boolean $null_allowed
+ *          is a null value allowed?
+ * @return ValidationResult containing the parsed date
+ */
+function check_date($input, $error_message = null, $null_allowed = false) {
+  if (DateTime::createFromFormat("Y-m-d", trim($input)))
+    return new ValidationResult(true, DateTime::createFromFormat("Y-m-d", trim($input)));
+  if ($null_allowed)
+    return new ValidationResult(true, null);
+  
+  error($error_message);
+  return new ValidationResult(false, null);
+}
+
 /**
  * Gibt den gefilterten REQUEST Wert ohne Zeilenumbrüche zurück
  */
@@ -57,4 +97,38 @@ function check_email($email) {
   return (bool) filter_var($email, FILTER_VALIDATE_EMAIL);
 }
 
+class ValidationResult {
+
+  private $ok;
+
+  private $value;
+
+  /**
+   * Constructor.
+   *
+   * @param boolean $ok
+   *          Is the value valid?
+   * @param * $value
+   *          The validated value
+   */
+  public function ValidationResult($ok, $value) {
+    $this->ok = $ok;
+    $this->value = $value;
+  }
+
+  /**
+   * Is the value valid?
+   */
+  public function isOk() {
+    return $this->ok;
+  }
+
+  /**
+   * The parsed/validated value.
+   */
+  public function getValue() {
+    return $this->value;
+  }
+}
+
 ?>
diff --git a/test/phpunit.xml b/test/phpunit.xml
index a27b9c1d..d6007646 100644
--- a/test/phpunit.xml
+++ b/test/phpunit.xml
@@ -1,11 +1,11 @@
 <phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:noNamespaceSchemaLocation="http://schema.phpunit.de/4.0/phpunit.xsd"
+	xsi:noNamespaceSchemaLocation="http://schema.phpunit.de/4.5/phpunit.xsd"
 	bootstrap="../includes/engelsystem_provider.php" colors="true"
 	convertErrorsToExceptions="true" convertNoticesToExceptions="true"
 	convertWarningsToExceptions="true" forceCoversAnnotation="false">
 	<testsuites>
 		<testsuite name="Models">
-			<directory>model</directory>
+			<directory>model/*</directory>
 		</testsuite>
 	</testsuites>
 	<php>
-- 
cgit v1.2.3-54-g00ecf